[Zope] Re: Acquisition, UserFolder and security

Tres Seaver tseaver at palladion.com
Fri Sep 30 08:57:36 EDT 2005



bruno modulix wrote:

> Dieter, I didn't misunderstand your proposed solution. But some users
> exist in different CPMs with different roles in each CPM. So - unless
> I'm totally at a loss with how Zope's security works - if User1 has role
> RoleWithMuchPrivileges in Cpm1 and role RoleWithFewPrivileges in Cpm2,
> he could gain RoleWithMuchPrivileges in Cpm2 just by using a faked URL
> cpm1/cpm2/whatever_he_should_not_access_here. Worse, anyone existing in
> any CPM could gain access to any other CPM just by faking the URL.

The Zope security machinery goes out of its way to prevent such an
exploit: essentially, it considers only "containment" acquisition when
evaluating roles, etc.


Tres.
- --
===================================================================
Tres Seaver          +1 202-558-7113          tseaver at palladion.com
Palladion Software   "Excellence by Design"    http://palladion.com
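The following is an added illustration, not Zope's own code or anything from this thread: a small Python model of the two acquisition styles, showing why a crafted path like cpm1/cpm2/secret does not carry cpm1's roles into cpm2 when roles are evaluated along the containment chain only. The Node class, the traverse function and the user and role names are constructed for the example; they mimic the behaviour Tres describes rather than reproduce Zope's Acquisition package.

```python
"""Toy model of containment-only role evaluation (added example, not Zope code).

"Context" acquisition follows whatever chain a URL traversal happened to build.
"Containment" acquisition follows the real parent pointers. Zope's security
checks use the latter, so the URL-implied chain cannot smuggle roles across
sibling folders.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Node:
    # Hypothetical minimal content object: a name, its real container,
    # local roles granted to users here, and named children.
    name: str
    parent: Optional["Node"] = None
    local_roles: Dict[str, Set[str]] = field(default_factory=dict)
    children: Dict[str, "Node"] = field(default_factory=dict)

    def add(self, child: "Node") -> "Node":
        child.parent = self
        self.children[child.name] = child
        return child


def containment_chain(obj: Optional[Node]):
    """Walk the real containers (aq_inner/aq_parent in Zope terms)."""
    while obj is not None:
        yield obj
        obj = obj.parent


def traverse(root: Node, path: str) -> List[Node]:
    """URL-style traversal that, like plain context acquisition, lets a name
    be found in any earlier node on the path, not only in the last one.
    Returns the chain the URL implies (the "context" chain)."""
    stack = [root]
    for name in path.strip("/").split("/"):
        for node in reversed(stack):
            if name in node.children:
                stack.append(node.children[name])
                break
        else:
            raise KeyError(name)
    return stack


def roles_via_context(context_chain: List[Node], user: str) -> Set[str]:
    """Naive (unsafe) evaluation: union of local roles along the URL chain."""
    roles: Set[str] = set()
    for node in context_chain:
        roles |= node.local_roles.get(user, set())
    return roles


def roles_via_containment(obj: Node, user: str) -> Set[str]:
    """What a Zope-style check does: union of local roles along real containers."""
    roles: Set[str] = set()
    for node in containment_chain(obj):
        roles |= node.local_roles.get(user, set())
    return roles


def demo():
    """Builds the scenario from the thread (constructed data) and returns the
    roles User1 would get in cpm2/secret under each evaluation style."""
    root = Node("root")
    cpm1 = root.add(Node("cpm1", local_roles={"User1": {"RoleWithMuchPrivileges"}}))
    cpm2 = root.add(Node("cpm2", local_roles={"User1": {"RoleWithFewPrivileges"}}))
    secret = cpm2.add(Node("secret"))
    assert cpm1 is not None  # cpm1 only matters through the crafted URL below

    # Crafted URL: cpm2 is reached "through" cpm1 even though they are siblings.
    chain = traverse(root, "cpm1/cpm2/secret")
    assert chain[-1] is secret
    context_roles = roles_via_context(chain, "User1")
    containment_roles = roles_via_containment(secret, "User1")
    return context_roles, containment_roles


if __name__ == "__main__":
    ctx, cont = demo()
    print("roles via URL context chain:", sorted(ctx))
    print("roles via containment chain:", sorted(cont))
```

Running it shows the context chain would hand User1 both roles in cpm2, while the containment chain yields only RoleWithFewPrivileges; a permission check driven by the containment result therefore denies the access the crafted URL was meant to obtain.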
